curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

feat(threat-hunting): Veeam credential extraction

This commit is contained in:
Ming Di Leom 2025-08-06 11:31:55 +00:00
parent 665846fa33
commit a1a8f6c44b
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
2 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
source/threat-hunting/index.md
View File

@ -116,6 +116,7 @@ updated: 2025-08-03
- [Unusual printui.exe path](unusual-printui-exe-path)
- [User Login with Local Credentials](user-login-with-local-credentials)
- [VSCode tunnel](vscode-tunnel)
- [Veeam credential extraction](veeam-credential-extraction)
- [Volt Typhoon IOC](volt-typhoon-ioc)
- [Volume Shadow Copy](volume-shadow-copy)
- [Volume Shadow Delete](volume-shadow-delete)

12
source/threat-hunting/veeam-credential-extraction.md Normal file
View File

@ -0,0 +1,12 @@
---
title: Veeam credential extraction
layout: page
date: 2025-08-06
---
References: [1](https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/)
SPL:
```spl
| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name="psql.exe" Processes.process="*VeeamBackup*" Processes.process IN ("*password*", "*credentials*") BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
```